New Identity Secure Score recommendations are now in General Availability with secure score trend chart and detailed user entities.
Last year, we emphasized our investments in Microsoft Entra recommendations within our Transparency in Adoption investment area. The primary objective of Microsoft Entra recommendations is to serve as a trusted advisor for enhancing security posture and improving employee productivity. Furthermore, it aims to provide actionable insights based on best practices and industry standards to assist in securing your organization.
Following the launch of Microsoft Entra recommendations and the recommendation releases announced since, 11 new Identity Secure Score recommendations are now generally available. Each one targets a specific, commonly exploited weakness in tenant configuration and comes with the steps needed to close it.
Below are the latest Identity Secure Score recommendations and their details.
- Require multifactor authentication (MFA) for administrative roles: Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed. We recommend requiring MFA for administrative roles, which makes it harder for attackers to access accounts.
- Ensure all users can complete MFA: Registering additional authentication methods such as the Microsoft Authenticator app, passkeys, or a phone number means an account stays protected even if one factor (something you know, have, or are) is compromised. A user who has not registered any method cannot be challenged for MFA at all, so an MFA policy only protects the users who can actually complete it. We strongly recommend getting every user registered and then requiring MFA for the devices and data they can reach.
- Enable policy to block legacy authentication: Today, most compromised sign-in attempts come through legacy authentication. Older Office clients such as Office 2010 don't support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication doesn't support MFA, so even if an MFA policy is configured in your environment, an attacker holding a stolen password can bypass it over a legacy protocol. We recommend a Conditional Access policy that blocks legacy authentication; roll it out in report-only mode first and use the sign-in logs to find the remaining clients that still depend on it, then enforce it.
- Do not expire passwords: Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex, and not built from dictionary words), it should remain as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason. We recommend that cloud-only tenants set the password policy to never expire.
- Protect all users with a user risk policy: With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level. We recommend protecting your users with user risk Conditional Access policy.
- Protect all users with a sign-in risk policy: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for MFA. We recommend protecting your users for sign-in risk using sign-in risk policy.
- Enable password hash sync if hybrid: Password hash synchronization is one of the sign-in methods used to implement hybrid identity. Microsoft Entra Connect (or Microsoft Entra Connect cloud sync) takes the password hash stored in on-premises Active Directory, hashes it again, and synchronizes that derived hash to Microsoft Entra ID; the cleartext password never leaves the domain. Password hash synchronization reduces the number of passwords your users need to maintain to just one, and it is also what allows Microsoft Entra ID Protection to report leaked credentials for synchronized accounts. We recommend that you enable password hash synchronization if you are using a hybrid configuration, even if you sign in through federation or pass-through authentication, so you have a fallback sign-in method and leaked credential detection.
- Do not allow users to grant consent to unreliable applications: To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.
- Use least privileged administrative roles: Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a privileged account being breached. We recommend you ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account.
- Designate more than one Global Admin: Having more than one Global Administrator protects you against lockout and gives you an emergency access path. Keep a delegate or a dedicated emergency access (break-glass) account that someone on your team can use if necessary; exclude that account from Conditional Access policies so that a policy misconfiguration cannot lock it out, and alert on any sign-in by it. Several Global Administrators can also monitor each other for signs of a breach. We recommend at least two Global Administrators, but keep the number small (fewer than five), because each one is a high-value target.
- Enable self-service password reset: With self-service password reset in Microsoft Entra ID, users no longer need to engage the helpdesk to reset passwords. It works well with Microsoft Entra Password Protection's banned password lists, which prevent easily guessable passwords from being chosen during the reset. We recommend that you enable self-service password reset for your users.
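Several of the recommendations above (MFA for administrative roles, blocking legacy authentication, user and sign-in risk policies, and the Global Administrator count) can be verified from tenant data rather than by clicking through the portal. The script below is an added example, not Microsoft's code: it evaluates Conditional Access policies and role assignments in the JSON shape Microsoft Graph returns (GET /identity/conditionalAccess/policies and GET /roleManagement/directory/roleAssignments), but it runs only over the constructed sample data at the bottom, so it works offline. The Global Administrator role template ID is the well-known tenant-independent value; the remaining GUID in the sample data is a placeholder. Note that a report-only policy ("enabledForReportingButNotEnforced") deliberately does not count as satisfying a check.

```python
"""Offline check of several Identity Secure Score recommendations (added example).

Evaluates Conditional Access policies and role assignments in the JSON shape
Microsoft Graph returns, over constructed sample data only.
"""

# Well-known, tenant-independent role template ID of Global Administrator.
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
# Client app types that carry legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def _enforced(policy):
    # Report-only and disabled policies protect nobody, so they never satisfy a check.
    return policy.get("state") == "enabled"

def _targets_all_users(policy):
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])

def _targets_all_apps(policy):
    return "All" in policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])

def _grants(policy):
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("authenticationStrength"):
        controls.add("mfa")  # an authentication strength is a stricter form of the MFA grant
    return controls

def requires_mfa_for_global_admins(policies):
    for p in policies:
        roles = p.get("conditions", {}).get("users", {}).get("includeRoles", [])
        if (_enforced(p) and _targets_all_apps(p)
                and GLOBAL_ADMIN_TEMPLATE in roles and "mfa" in _grants(p)):
            return True
    return False

def blocks_legacy_auth(policies):
    for p in policies:
        client_apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (_enforced(p) and _targets_all_users(p) and _targets_all_apps(p)
                and LEGACY_CLIENT_APPS <= client_apps and "block" in _grants(p)):
            return True
    return False

def has_risk_policy(policies, risk_key, levels):
    """risk_key is 'userRiskLevels' or 'signInRiskLevels'; every level in `levels` must be covered."""
    for p in policies:
        covered = set(p.get("conditions", {}).get(risk_key, []))
        if _enforced(p) and _targets_all_users(p) and levels <= covered and _grants(p):
            return True
    return False

def global_admin_count(role_assignments):
    return len({a["principalId"] for a in role_assignments
                if a.get("roleDefinitionId") == GLOBAL_ADMIN_TEMPLATE})

def evaluate(policies, role_assignments):
    n_ga = global_admin_count(role_assignments)
    return {
        "mfa_for_admin_roles": requires_mfa_for_global_admins(policies),
        "block_legacy_auth": blocks_legacy_auth(policies),
        "user_risk_policy": has_risk_policy(policies, "userRiskLevels", {"high"}),
        "sign_in_risk_policy": has_risk_policy(policies, "signInRiskLevels", {"medium", "high"}),
        "more_than_one_global_admin": 2 <= n_ga < 5,  # at least two, fewer than five
    }


# Constructed sample data (not from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Global Administrators", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_TEMPLATE]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",  # report-only: counts as NOT blocking
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Sign-in risk: medium and high require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": "user-1", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE},
    {"principalId": "user-2", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE},
    {"principalId": "user-3", "roleDefinitionId": "00000000-0000-0000-0000-000000000001"},  # placeholder lesser role
]

if __name__ == "__main__":
    for check, ok in evaluate(SAMPLE_POLICIES, SAMPLE_ROLE_ASSIGNMENTS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Against the sample data the script passes the admin MFA, sign-in risk and Global Administrator checks and fails the legacy authentication check, because that policy is still in report-only mode; switching its state to "enabled" is what the recommendation actually asks for. To run it against a real tenant, replace the two sample lists with the `value` arrays from the Graph calls named above.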
To find your Identity Secure Score recommendations, go to the Microsoft Entra admin center and navigate to Identity > Overview > Recommendations. On the recommendation homepage, filter by "Category" and select "Identity Secure Score." Alternatively, use the new Recommendations feature by selecting the Security Recommendations filter at the top of the search bar on the overview page.
Benefits of the New Secure Score Recommendations
Our new secure score recommendations offer several key benefits:
- Improved security posture: By implementing these recommendations, organizations can gain valuable insights into minimizing threat exposure, safeguarding their assets, and preserving trust with customers and stakeholders.
- Actionable insights: Each recommendation comes with clear, actionable steps to help you address specific security concerns.
- Comprehensive coverage: The recommendations cover a broad range of security aspects, ensuring a holistic approach to securing your digital environment.
What’s new?
We're excited to highlight two additional new features now available with these recommendations:
Secure Score Trend Chart: This chart allows customers to track the progress of their secure score over time. By monitoring these trends, organizations can gauge the effectiveness of their security measures and make data-driven decisions to further enhance their security posture. You can access the secure score history data using the Tenant Secure Score API.
Detailed List of User Entities: This feature provides a comprehensive list of user entities, enabling you to easily validate and take necessary actions for the relevant impacted user entities. With precise user entity information, you can identify potential risks and ensure that appropriate security measures are implemented. You can also access the list of impacted resources using the impacted resources API.
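The trend chart is most useful when a drop can be traced back to the control that caused it. The script below is an added example, not Microsoft's code: it reads score history in the field layout of the Microsoft Graph secureScore resource (GET /security/secureScores, which is assumed here to be what the post calls the Tenant Secure Score API: createdDateTime, currentScore, maxScore and controlScores with controlName and score), charts the score as a percentage of the maximum, and names the controls that lost points on any day the total fell. The history is constructed sample data and the control names are illustrative, not a real tenant's values.

```python
"""Trend and per-control diff over Secure Score history (added example).

Records follow the field names of the Microsoft Graph secureScore resource;
the history below is constructed sample data.
"""

SAMPLE_HISTORY = [  # deliberately out of order: do not rely on the API's ordering
    {"createdDateTime": "2025-03-03T00:00:00Z", "currentScore": 19.0, "maxScore": 50.0,
     "controlScores": [{"controlName": "AdminMFAV2", "score": 10.0},
                       {"controlName": "BlockLegacyAuthentication", "score": 8.0},
                       {"controlName": "OneAdmin", "score": 1.0},
                       {"controlName": "PWAgePolicyNew", "score": 0.0}]},  # expiry turned back on
    {"createdDateTime": "2025-03-01T00:00:00Z", "currentScore": 27.0, "maxScore": 50.0,
     "controlScores": [{"controlName": "AdminMFAV2", "score": 10.0},
                       {"controlName": "BlockLegacyAuthentication", "score": 8.0},
                       {"controlName": "OneAdmin", "score": 1.0},
                       {"controlName": "PWAgePolicyNew", "score": 8.0}]},
    {"createdDateTime": "2025-03-02T00:00:00Z", "currentScore": 27.0, "maxScore": 50.0,
     "controlScores": [{"controlName": "AdminMFAV2", "score": 10.0},
                       {"controlName": "BlockLegacyAuthentication", "score": 8.0},
                       {"controlName": "OneAdmin", "score": 1.0},
                       {"controlName": "PWAgePolicyNew", "score": 8.0}]},
]


def _by_date(records):
    return sorted(records, key=lambda r: r["createdDateTime"])

def percent(record):
    return round(100.0 * record["currentScore"] / record["maxScore"], 1)

def trend(records):
    """(day, score as % of max), oldest first. Chart the percentage rather than the
    raw score: maxScore grows whenever Microsoft ships a new control, so a flat raw
    score can hide a falling percentage."""
    return [(r["createdDateTime"][:10], percent(r)) for r in _by_date(records)]

def control_changes(older, newer):
    """Per-control score delta between two snapshots. A control absent on one side
    counts as 0 there, so a newly added recommendation appears as a positive delta."""
    a = {c["controlName"]: c["score"] for c in older["controlScores"]}
    b = {c["controlName"]: c["score"] for c in newer["controlScores"]}
    return {n: b.get(n, 0.0) - a.get(n, 0.0) for n in a.keys() | b.keys()
            if b.get(n, 0.0) != a.get(n, 0.0)}

def explain_drops(records):
    """For every day the total fell, name the controls that lost points."""
    ordered = _by_date(records)
    drops = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["currentScore"] < prev["currentScore"]:
            lost = {n: d for n, d in control_changes(prev, cur).items() if d < 0}
            drops.append((cur["createdDateTime"][:10], lost))
    return drops

if __name__ == "__main__":
    for day, pct in trend(SAMPLE_HISTORY):
        print(day, f"{pct}%")
    for day, lost in explain_drops(SAMPLE_HISTORY):
        print(day, "dropped because of:", lost)
```

On the sample history the percentage falls from 54.0% to 38.0% on the third day and the drop is attributed entirely to the password-expiry control, which is the kind of regression the trend chart is meant to surface. With real data, feed the `value` array of the secureScores response into the same functions.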
To remain updated with the available Recommendations, please visit Microsoft Entra recommendations. We are continuously introducing new Recommendation features to enhance value. In the coming months, we are set to launch Zero Trust recommendations to help you optimize your implementation of the Zero Trust framework, as well as Microsoft Entra Suite recommendations to guide your product usage scenarios and provide the most effective ways to utilize your Microsoft Entra Suite license.
Learn more about Microsoft Entra:
- What are Microsoft Entra recommendations?
- Entra Recommendation APIs
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID
- Join the conversation on the Microsoft Entra discussion space
- Learn more about Microsoft Security
Updated Mar 11, 2025
Version 3.0
Shobhit Sahay
Microsoft
Microsoft Entra Blog